Techaisle’s recently completed study, SMB IT Decision Making Authority: ITDM vs. BDM, which examines the balance in SMB IT decision-making authority between IT decision makers (ITDMs) and business decision makers (BDMs), shows that BDMs are becoming increasingly involved in SMB cloud and security management processes. In 76 percent of SMBs, BDMs have active roles in cloud security, and in a whopping 87 percent of SMBs they are active in mobility security management.

Techaisle’s SMB IT Decision Making Authority: ITDM vs. BDM report provides data to substantiate a common theme: business management is taking a more active role in IT acquisition, deployment and management. This is especially true in cloud and mobility as BDMs are able to directly procure systems that support their business needs (such as CRM systems used by sales management) – avoiding IT’s processes and timeframe for deployment, and in some cases, avoiding input from IT altogether.

When we speak to ITDMs or IT suppliers who work with IT managers we are often exposed to the counter-argument against this newfound BDM freedom: that without effective IT oversight, cloud systems can become disconnected from the corporate IT infrastructure, creating silos of data, and potentially, security, audit, compliance and privacy risks.

To obtain insight into this issue, Techaisle asked survey respondents to identify who (by area of responsibility) has primary responsibility in each of 10 cloud security areas and 12 mobility security areas. Looking across both groups, we see at a glance that in both small and mid-sized businesses, business management is viewed as a source of access policy, but the management of the security process is largely the preserve of IT.

Comparing Cloud and Mobility Security Management

The study shows that there are three key players in managing cloud and mobility security within SMB organizations – Business Management, IT Management and Service Providers. Business management involvement is higher than IT management in mobility security, 87 percent vs. 68 percent. Drilling down into the data we find that SMB BDMs take an active role in five out of twelve mobility security areas and have primary responsibility in seven security areas.

On the other hand, SMB BDM involvement in cloud security management is 76 percent, which is almost the same as ITDM involvement at 78 percent. But unlike in mobility security management, BDMs are actively involved in three cloud security areas and have primary responsibility in only one security area.

Within the mid-market businesses, IT management has a higher percent of involvement than business management for both mobility and cloud security administration. ITDMs actively participate in five of twelve mobility security areas and five of ten cloud security areas.

The above data does not imply that BDMs and ITDMs are not involved in all security management areas; in fact, they are, but the roles and responsibilities shuttle between the two principal SMB custodians.

Comparing Small and Mid-market Businesses for Cloud security management

Drilling down into the cloud security management process only, the data reveals that BDMs are responsible for setting access policy in over 60 percent of cases. All other steps in the process are primarily the responsibility of IT, with involvement from BDMs: from user authentication, to ensuring consistency with audit, regulatory and compliance requirements, to ensuring that backup is regular, effective and tested.

When we turn our attention to the mid-market businesses, the first finding that leaps out at us is the more prominent role played by business management. In nine of the ten cloud security activities covered in the survey, medium business respondents report more non-IT management involvement than their small business peers – and in one step in the cloud security process (ensuring consistency with audit, regulatory and compliance requirements) medium business BDMs have a similar level of responsibility as ITDMs.

Role of Service Provider in Securing SMB Cloud and Mobility solution deployments

Survey data presents a very interesting dichotomy about the role of service providers in securing SMB cloud and mobility solution deployments. Service providers are involved in 47 percent of SMBs for cloud security, which is 35 percent higher than their involvement in mobility security. But for mid-market businesses they are 50 percent more involved in mobility security than cloud security. Out of the twelve areas, key roles played by service providers for mobility security are “Authenticating user identities” and “Deploying and updating malware and other security technologies on corporate-owned endpoint devices”. Within the ten different cloud security areas, service providers are most involved in “Safeguarding against unauthorized access” and “Authenticating user identities”.

It is interesting to note that both small and mid-sized businesses rely on cloud suppliers through the security process – interesting primarily because (as the saying goes) “you can’t outsource responsibility”. SMBs are free to rely on cloud suppliers for assistance through the cloud security process, but if/where there are breaches or other issues, the responsibility still rests with the business, not with the supplier. Techaisle believes that the SMBs – both small and medium businesses – who report that their cloud suppliers have responsibility for one or more cloud security activities should take a closer look at whether and how they might separate responsibility (which is a management requirement) from delivery (which may well be best outsourced to a cloud vendor). Here again, SMBs require guidance from security specialists to align practices with requirements.

The arguments for cloud are clear, and well-aligned with the specific interests of small and mid-market businesses, and ITDMs and BDMs. However, despite what appears to be a 24x7 stream of cloud information available to everyone with an internet connection, cloud is not ubiquitous – meaning that there are objections that prevent cloud from being introduced in some SMB environments.

To better understand cloud objections, Techaisle’s SMB Cloud Computing Adoption survey asked respondents “What are the key inhibitors to embracing cloud – what factors might prevent you from adopting new cloud solutions, and/or accelerating the use of current cloud solutions?”

Responses show that the traditional cloud bugbears of security and control continue to furnish obstacles to increased cloud penetration/acceleration. As the figure illustrates, SMBs are most worried about security of applications and corporate data, and about control over data, users and applications.

Mid-market businesses also register a high rate of concern regarding the difficulty of integrating operational systems across hybrid traditional/cloud-based systems – an objection which, in Techaisle’s opinion, has real merit and will require attention (and solutions) from the cloud supplier community. This issue is of particular concern to firms with 100-249 employees – large enough to have diverse systems requiring integration, but not large enough to have deep IT resources capable of addressing the problem. We expect that this concern will spread both to larger firms as they move more workloads from on-premise to cloud or hybrid platforms, and to smaller firms as they adopt more SaaS systems (requiring cloud-to-cloud integration).

A drill down into inhibitors by employee size segment shows that the smallest organizations in both the small and mid-markets – the 1-9 employee micro-businesses, and the 100-249 medium businesses – have some unique issues. Micro-businesses worry about vendor lock-in – a reasonable concern, as these firms have neither the technical expertise nor the purchasing power to extricate themselves from supplier relationships if they experience difficulties. The 100-249 employee size groups, as detailed above, are worried about integration. Consistently, though, SMBs are concerned with questions of security and data/user/application control. Suppliers able to address these issues will benefit from expanded market opportunity.

Looking at this issue through the ITDM/BDM lens, we see that the principal objections – with one important exception – are defined by the roles that each group plays within their organizations. BDMs, as might be expected, are very concerned with control over business data (can we access and manage data in the cloud as well as we can on premise?), with connectivity (can we get to information and applications when we are on the road?), and with vendor lock-in (which can be seen as an extension of the data control issue). ITDMs, on the other hand, are more concerned with technical issues than their BDM peers: they are more likely to cite limitations in service access and integration issues as cloud impediments.

The one area where the pattern does not correspond to expectations is in security, where BDMs express higher levels of concern than ITDMs. Given that ITDMs are responsible for most aspects of cloud security, we would have anticipated more security-related concern from ITDMs, if not necessarily lower rates of security-related worry on the part of the BDM respondents.